This repository has been archived by the owner on Apr 14, 2021. It is now read-only.
Documentation should not recommend 'git://' URLs #2958
Comments
|
I agree, @peter-mtso. HTTPS should be the default because git over SSH requires that you have a private key known to the Git daemon available on the machine you're cloning (or subsequently bundling) from. Would you mind submitting a pull request to fix this? |
|
Sure, I can put together a draft for changes to the manpage and the website. |
|
Cool, thanks! |
This was referenced Apr 1, 2014
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
git://URLs allow a network "man-in-the-middle" attacker to easily substitute malicious code and compromise the user's machine. We should note this issue in the documentation and stop recommending this pattern. It seems irresponsible to provide examples which can get users compromised, while not even mentioning the problem or secure alternatives.(In the future, warnings for insecure URLs would be great, too)
The text was updated successfully, but these errors were encountered: